Filtering intrusion detection system events on a single host

Abstract

Embodiments disclosed herein describe a method to determine consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises of identifying the program affected by said privilege escalation alert and determining if it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are identified.

Description

BACKGROUND[0001]1. Technical Field[0002]The embodiments herein generally relate to network management, and, more particularly, to determining the effects of a privilege escalation alert and identifying appropriate response measures.[0003]2. Description of the Related Art[0004]Snort is widely used, open-source software that monitors network packets and identifies attempted privilege escalations on a computer network or on a single host running an exemplary Operating System (Windows XP / Visyta / 2000,2003, Red Hat Linux, Solaris, HP-UX, etc.). Snort detection system identifies that an attempt is made to circumvent a program that takes input from network by listening on a particular port. Snort provides information about the source of the attempt, and the targeted program port and host identification. There are multiple intrusion detection systems available in the market that have above property. They include ISS Intrusion Product, Snort, and other network and host-based intrusion detecti...

AI Technical Summary

Benefits of technology

[0011]In view of the foregoing, an embodiment herein provides a method and a program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform a method to determine consequences of a privilege escalation alert from Snort, the method comprising the steps of obtaining privilege escalation alert from Snort; and analyzing the privilege escalation alert information to determine port targeted, using appropriate tools (such as netstat) to determine the program affected by the privilege escalation alert; identifying if the affected program identified can be circumvented, the user affected by said privilege escalation alert; and transitive effects of the privilege escalation alert. The privilege escalation alert is ignored if said affected program cannot be circumvented. The privilege escalation can be ignored if it is determined that the particular network packet does not have the ability to attack the program. Determining the program affected by the privilege escalation comprises of determining process identifier of process of the program and determining identifying information including process identifier of process of the program. Determining if the affected program identified can be circumvented comprises of verifying vulnerability status of the affected program using external tools (Qualys, eEye Retina scanner, IBM ISS scanner) and v

Problems solved by technology

A recurring weakness of intrusion detection systems is their high false-positive rate.

It is quite common that intrusion detection systems output tens of thousands and hundreds of alerts; many of these alerts are false positives.

Snort alerts do not provide information about the program being targeted.

For example, sendmail SMTP server is considered extremely risky based on the history of problems.

But it is not possible to identify the risk in the attempted escalation by looking at the snort alert because the alert does not provide any information regarding the program.

Also, Snort alerts do not provide information on whether a program can indeed be circumvented on reception of an alert.

Current IDS systems only provide information on which port is being targeted and hence is not possible to distinguish between two different attempts, where one attempt goes to a vulnerable server and another goes to an invulnerable server.

Furthermore, Snort alerts do not provide information on the user account under which a program is running based on an alert.

But, Snort does not provide information about the user account that is being targeted.

Furthermore, Snort alerts do not provide information on transitive effects of the alerts.

The Snort alert does not provide information that it is possible to take control of the administrative account LocalSystem indirectly because of the existing path from NetworkService to LocalSystem.

Hence it is not possible to incorporate information like current background scans and attempted escalations into the framework to analyze current risk profile.

Images